High severity · OSV Advisory · Published Dec 12, 2025 · Updated Dec 12, 2025
CVE-2025-67819
Description
An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.
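The description above names the root cause as a missing check on a client-supplied file name: a file-transfer handler that joins the name onto the shard directory without confining the result can be asked for any file the process can read. As an added illustration of that check (example code written for this page, not Weaviate's own code or its actual patch; the function names, the shard directory and the file names are assumed), the snippet below shows the unchecked join next to a lexically confined resolver that rejects absolute names and any name that escapes the shard directory after cleaning:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathOutsideShard is returned when a requested file name would resolve
// to a location outside the shard's directory.
var ErrPathOutsideShard = errors.New("requested file is outside the shard directory")

// unsafeResolve shows the defect class the advisory describes: the caller's
// name is joined onto the shard root with no confinement, so "../" segments
// walk out of the directory. (Hypothetical, for contrast only.)
func unsafeResolve(shardRoot, fileName string) string {
	return filepath.Join(shardRoot, fileName)
}

// resolveShardFile confines a client-supplied file name to shardRoot.
// The name must be non-empty and relative, and the cleaned result must
// still lie under shardRoot. (Hypothetical helper, not Weaviate's code.)
func resolveShardFile(shardRoot, fileName string) (string, error) {
	if fileName == "" {
		return "", errors.New("empty file name")
	}
	if filepath.IsAbs(fileName) {
		return "", ErrPathOutsideShard
	}
	root := filepath.Clean(shardRoot)
	// Join cleans the result, so "a/../../b" collapses before the check.
	full := filepath.Join(root, fileName)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// Anything that starts with ".." escaped the root; "." is the root
	// itself, which is a directory rather than a transferable file.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathOutsideShard
	}
	return full, nil
}

func main() {
	root := "/var/lib/weaviate/shard" // assumed shard directory
	for _, name := range []string{"segments/seg1.db", "../../../../etc/passwd", "/etc/passwd"} {
		p, err := resolveShardFile(root, name)
		fmt.Printf("%-28q unchecked=%-32q checked=%q err=%v\n", name, unsafeResolve(root, name), p, err)
	}
}
```

The check is purely lexical: it stops `..` and absolute names but says nothing about symbolic links already present under the shard directory, which would need `filepath.EvalSymlinks` on the resolved path and a second containment check against the real root. Enforcing the check at the service boundary also makes the rejected requests a useful detection signal, since a client asking a file-replication endpoint for names outside the shard has no legitimate reason to do so.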
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/weaviate/weaviate | Go | >= 1.30.0, < 1.30.20 | 1.30.20 |
| github.com/weaviate/weaviate | Go | >= 1.31.0-rc.0, < 1.31.19 | 1.31.19 |
| github.com/weaviate/weaviate | Go | >= 1.32.0-rc.0, < 1.32.16 | 1.32.16 |
| github.com/weaviate/weaviate | Go | >= 1.33.0-rc.0, < 1.33.4 | 1.33.4 |
Affected products
- pkg:golang/github.com/weaviate/weaviate (no CPE), range: >= 1.30.0, < 1.30.20
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20251230T014957-150000.1.134.1
References
- github.com/advisories/GHSA-hmmh-292h-3364 (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-67819 (ADVISORY, via GHSA)
- github.com/weaviate/weaviate/commit/4ff2cc89277c264c37d0f7316d9eb6368cfc30ff (WEB, via GHSA)
- github.com/weaviate/weaviate/commit/89c2270869e6d64f5b5276b8626c11cd816c6665 (WEB, via GHSA)
- github.com/weaviate/weaviate/commit/b18cc7ea82d80a61e7943361a6e335e3fd5a49c7 (WEB, via GHSA)
- weaviate.io/blog/weaviate-security-release-november-2025 (WEB, via GHSA)